Zero Trust model creator John Kindervag puts it like this: “The point of Zero Trust is not to make networks, clouds, or endpoints more trusted; it's to eliminate the concept of trust from digital systems altogether.” He came up with the model in 2010, at a time when many businesses were just beginning to put foundational cybersecurity controls in place and over-relied on the assumed security inside their enterprise-owned network boundaries.
Traditional cybersecurity best practices were heavily focused on protecting the boundaries of the private network. Unfortunately, this led to a certain level of implicit trust toward any activity taking place inside the network—a perfect cognitive blindspot for threat actors to exploit.
What is Zero Trust?
The Zero Trust model suggests that all activity taking place, even inside your trusted network, requires the same level of scrutiny and verification as you would use with activity coming from outside the network. With the proliferation of bring-your-own-device and remote workforce culture, new risks are constantly introduced to the network. Doing away with the notion of “trusted” users and devices helps security teams stay vigilant.
Treating every interaction as unverified pushes security practitioners to put more effort into controls that authenticate and secure user behavior as if it were coming from a potential threat.
The Microsoft strategy
Microsoft provides a set of three critical security objectives you can use as the basis for enacting Zero Trust within your IT environment, as listed here:
- Verify explicitly
Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification and anomalies.
- Use least privileged access
Limit user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies and data protection to protect both data and productivity.
- Assume breach
Minimize blast radius for breaches and prevent lateral movement by segmenting access by network, user, devices and application awareness. Verify all sessions are encrypted end-to-end. Use analytics to get visibility, drive threat detection and improve defenses.
Enter SCM and FIM
Security configuration management (SCM) and file integrity monitoring (FIM) are two of the most important security controls you can add to your arsenal to enact the Zero Trust model in your network. If you’re not already familiar with these practices, let’s start with a quick description of each:
- SCM: SCM is a security practice that combines elements of vulnerability assessment, automated remediation, and configuration assessment. It reduces security risks by ensuring that systems are properly configured—hardened—to meet internal and/or regulatory security and compliance standards.
- FIM: FIM is the security technology pioneered by Tripwire that monitors for and detects changes in your environment so that you can identify and remediate cybersecurity threats. FIM actually goes beyond files and monitors system integrity as a whole, alerting you to unauthorized changes across servers, databases, network devices, directory servers, applications, cloud environments and virtual images.
Next, we can explore a couple of quick examples of the ways SCM and FIM can help you put Zero Trust into practice:
- Access creep abatement: SCM can aid in enforcing the JIT/JEA policies suggested by Microsoft above. Access creep is a common issue that occurs when a user’s permissions grow over time without routine reassessment. Access should be reduced when resources are no longer needed by the user. Permissions can quickly become excessive on file systems, and an SCM tool leveraging policy-based audits can keep the problem in check across all your devices. Your SCM tool should also alert you at any point when unnecessary access creates risk.
- Real-time change monitoring: FIM tools track changes across your users and devices to give you a clear picture of which changes are authorized and which are not, so that you can remediate any unexpected change or risk. Combined with agents that provide real-time monitoring, FIM tools give you enough visibility into what is happening on your network to help enforce Zero Trust.
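Both of the examples above, the permission audit that keeps access creep in check and the change monitoring that reports unexpected modifications, come down to the same mechanism: record a known-good baseline, then re-scan and compare. The script below is an added illustration written for this article, not Tripwire's code or any product's implementation. It builds a baseline of SHA-256 hashes and permission bits for a small directory tree constructed in a temporary folder, audits that baseline against a hypothetical permission policy (no world-writable files, and a named set of restricted files that must stay at mode 0600 or tighter), then simulates drift (a config edit, a key file loosened to 0644, a new world-writable script) and reports what changed. Paths, file contents and the policy are all constructed for the example.

```python
"""Minimal SCM + FIM demo: a baseline of file hashes and permission bits, a
policy audit of those permissions, and a change report against the baseline.
Added example for this article, not Tripwire's code; the directory tree and
the policy are constructed here."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, permission bits and size for every regular file under root,
    keyed by the path relative to root (POSIX form so keys are stable)."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": st.st_mode & 0o777,
                "size": st.st_size,
            }
    return baseline


def audit_permissions(baseline: dict, restricted: set) -> list:
    """SCM-style policy check (hypothetical policy): no file may be
    world-writable, and files listed in `restricted` must not be readable or
    writable by group or others (mode 0o600 or tighter)."""
    findings = []
    for rel, entry in baseline.items():
        mode = entry["mode"]
        if mode & 0o002:
            findings.append(f"{rel}: world-writable ({mode:o})")
        if rel in restricted and mode & 0o077:
            findings.append(f"{rel}: restricted file readable by others ({mode:o})")
    return findings


def diff_baseline(old: dict, new: dict) -> dict:
    """FIM-style change report: files added, removed, or whose content hash or
    permission bits differ from the baseline."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            changed = [k for k in ("sha256", "mode") if old[rel][k] != new[rel][k]]
            if changed:
                report["modified"].append((rel, changed))
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate drift
    (a config edit, a loosened key file, a new script) and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("log_level=info\n")
        (root / "etc" / "app.conf").chmod(0o644)
        (root / "etc" / "secret.key").write_text("constructed-key-material\n")
        (root / "etc" / "secret.key").chmod(0o600)
        (root / "bin" / "run.sh").write_text("#!/bin/sh\necho run\n")
        (root / "bin" / "run.sh").chmod(0o755)

        baseline = build_baseline(root)
        restricted = {"etc/secret.key"}  # constructed policy: must stay 0600
        clean_audit = audit_permissions(baseline, restricted)

        # Drift: content change, permission creep on the key, a new file.
        (root / "etc" / "app.conf").write_text("log_level=debug\n")
        (root / "etc" / "secret.key").chmod(0o644)
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")
        (root / "bin" / "helper.sh").chmod(0o777)

        current = build_baseline(root)
        return {
            "clean_audit": clean_audit,
            "drift_audit": audit_permissions(current, restricted),
            "changes": diff_baseline(baseline, current),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` gives an empty audit for the clean baseline, two policy findings after the drift (the world-writable new script and the key file now readable by others), and a change report listing the added script plus the two modified files with the attribute that changed (content hash for the config, mode for the key). A production FIM agent does the same comparison continuously and across far more attributes (ownership, ACLs, registry keys, package manifests), but the baseline-and-compare loop is the part that makes "unexpected change" a detectable event rather than a guess.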
Zero Trust isn’t a benchmark you can “achieve,” but a network-hardening approach that merits ongoing effort over time. Even if you only dip your toes into the Zero Trust model, your security program stands to benefit in the long run.